Key Service Statistics

Executive Summary

Rapid7’s Managed Detection and Response (MDR) service generated 1,234 alerts to identify malicious activity in Company Name’s environment in July. MDR did not identify malicious activity that required incident response during this period.

Total Logs collected: 476,860,085

Alerts Generated: 1,234

Incident Reports: 5

Collected Log Data

The following table identifies the data sources from which InsightIDR collected logs last month, the log set in InsightIDR log search where the logs are stored, and the number of log files collected per data source. The MDR team uses this data when investigating an incident.

You can also view your logs in InsightIDR by clicking Log Search from the left menu.

Alerts

The MDR Security Operations Center performed in-depth validation of 1,234 alerts by priority. The MDR team applied user behavior analytics to retrace the user and activity behind each alert. As part of this analysis, the MDR team reviewed domains and URLs accessed by users, processes executed by users, historical logon activity, and system roles associated with the alerts.

For more information about alert priorities and closed alert dispositions, go to the Key Terms and Definitions tab.

Closed Alerts by Priority

Chart: Alerts by Priority (Critical, High, Medium and Low priority).
Row

List of Closed Alerts

This table lists the alerts that were closed during the month of July. The table is generated by matching signatures to logs and events from the Company Name environment.

Closed Alerts by Disposition

Chart: Alerts by Disposition (Reported, Not Reported).

Incidents

MDR did not respond to any security incidents during the month of July.

Threat Hunts Performed

During the month of July, MDR’s threat hunters performed 4 hunts in Company Name’s environment. Details of these threat hunts can be found in the table below. Had evidence of compromise been identified as a result of these hunts, our incident response process would have been initiated (see the ‘Incidents’ section of this report).

Hunt Name: ScreenConnect Cross-Organizational Usage
Hunt Timeframe: 2022-04-28 - 2022-07-28
Hunt Description: Rapid7 undertook a hunting project with the goal of using ConnectWise/ScreenConnect clients’ Public Key Thumbprints to determine instances in which a user or organization could remotely interact with assets in more than one of our customer environments. Instances of this activity were then investigated to determine whether the activity associated with these installations was illegitimate. This hypothesis stems from multiple recent incident response engagements which found repeated use of ConnectWise/ScreenConnect clients for remote access using the same Public Key Thumbprints across multiple environments.

Hunt Name: Historical Follina Execution - CVE-2022-30190
Hunt Timeframe: 2022-05-03 - 2022-06-03
Hunt Description: On May 30, 2022, Microsoft Security Response Center (MSRC) published a blog on CVE-2022-30190, an unpatched vulnerability in the Microsoft Support Diagnostic Tool (msdt) in Windows. Microsoft’s advisory on CVE-2022-30190 indicates that exploitation has been detected in the wild. While Rapid7 had pre-existing alerts capable of detecting most execution instances of this vulnerability, it was thought prudent to conduct a hunt for uncommon execution techniques that could evade historical alert logic. For more information on this vulnerability please review Rapid7’s blog at https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/

Hunt Name: Activity Consistent with Compromised Home Routers
Hunt Timeframe: 2022-05-25 - 2022-05-27
Hunt Description: A customer contacted Rapid7 MDR about anomalous authentication attempts they had observed. Rapid7’s investigation identified that the activity was consistent with a compromised home router. Rapid7 MDR then conducted a hunt for this activity across all Rapid7 MDR clients.

Hunt Name: Common Linux Cron Job Persistence Techniques
Hunt Timeframe: 2022-06-01 - 2022-06-28
Hunt Description: The objective of this hunt is to identify instances of common persistence techniques employed against Linux systems using cron jobs.

Newly Created Rules and Suppressions

In July, Rapid7 MDR’s Threat Intelligence and Detection Engineering (TIDE) team created 202 new detection rules. The TIDE team also implemented 1 suppression, tuning the rules listed under “Rules with new Suppressions.” Each month, TIDE researches new detections to increase coverage and implements suppressions to raise the fidelity of existing detections; both help cover the Company Name environment.

Newly Created Rules

Amazon GuardDuty - Discovery:S3/AnomalousBehavior
    This finding informs you that an IAM entity has invoked an S3 API to discover S3 buckets in your environment, such as ListBuckets. This type of activity is associated with the discovery stage of an attack wherein an attacker gathers information to determine if your AWS environment is susceptible to a broader attack. This activity is suspicious because the IAM entity invoked the API in an unusual way. For example, an IAM entity with no previous history invokes an S3 API, or an IAM entity invokes an S3 API from an unusual location.
    This API was identified as anomalous by GuardDuty’s anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see Finding details.
Amazon GuardDuty - Exfiltration:S3/AnomalousBehavior
    This finding informs you that an IAM entity in your AWS environment is making API calls that involve an S3 bucket and this activity differs from that entity’s established baseline. The API call used in this activity is associated with the exfiltration stage of an attack, wherein an attacker attempts to collect data. This activity is suspicious because the IAM entity invoked the API in an unusual way. For example, an IAM entity with no previous history invokes an S3 API, or an IAM entity invokes an S3 API from an unusual location.
    This API was identified as anomalous by GuardDuty’s anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see Finding details.
Amazon GuardDuty - Impact:S3/AnomalousBehavior.Delete
    This finding informs you that an IAM entity in your AWS environment is making API calls that involve an S3 bucket, and this behavior differs from that entity’s established baseline. The API call used in this activity is associated with an attack that attempts to delete data. This activity is suspicious because the IAM entity invoked the API in an unusual way. For example, an IAM entity with no previous history invokes an S3 API, or an IAM entity invokes an S3 API from an unusual location.
    This API was identified as anomalous by GuardDuty’s anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see Finding details.
Amazon GuardDuty - Impact:S3/AnomalousBehavior.Permission
    This finding informs you that an IAM entity in your AWS environment has changed a bucket policy or ACL on the listed S3 buckets. This change may publicly expose your S3 buckets to all the authenticated AWS users.
    This API was identified as anomalous by GuardDuty’s anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see Finding details.
Amazon GuardDuty - Impact:S3/AnomalousBehavior.Write
    This finding informs you that an IAM entity in your AWS environment is making API calls that involve an S3 bucket, and this behavior differs from that entity’s established baseline. The API call used in this activity is associated with an attack that attempts to write data. This activity is suspicious because the IAM entity invoked the API in an unusual way. For example, an IAM entity with no previous history invokes an S3 API, or an IAM entity invokes an S3 API from an unusual location.
    This API was identified as anomalous by GuardDuty’s anomaly detection machine learning (ML) model. The ML model evaluates all the API requests in your account and identifies anomalous events that are associated with techniques used by adversaries. It tracks various factors of the API requests, such as the user who made the request, the location from which the request was made, the specific API that was requested, the bucket that was requested, and the number of API calls made. For more information on which factors of the API request are unusual for the user identity that invoked the request, see Finding details.
Attacker Technique - Python Reverse Shell
Attacker Technique - Reg.exe disabling the User Access Control (UAC) remote restriction
    This detection identifies the use of reg.exe to disable the User Access Control (UAC) remote restriction. By disabling this restriction, a “Local” user account that is in the Administrator group should be able to remotely connect and access the C$ (root drive) of any Windows systems in the network. Attackers use this technique as part of their lateral movement attack to gain access deeper into the network.
Attacker Tool - Get-GPPPassword / Net-GPPPassword
    This detection identifies the use of Get-GPPPassword, a PowerShell-based tool for dumping passwords for accounts pushed through Group Policy Preferences, and Net-GPPPassword, a .NET implementation of Get-GPPPassword.
Backdoor - RDAT
    This detection identifies the commands matching the behavior of the RDAT Backdoor as well as its executable file properties.
ET MALWARE Bitter APT Payload Request
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Bitter APT ZxxZ Downloader CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Cobalt Strike Activity (GET)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Downloaded .PNG With Embedded File (.sh)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Gamaredon APT Related Activity (GET)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Gamaredon APT Related Activity (GET)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Golang/Kaos/YamaBot CnC Activity
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Golang/Kaos/YamaBot CnC Activity M2 (POST)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE IIS Backdoor CnC Command Inbound
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Lazarus APT Related Valefor/VSingle CnC Beacon
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Lazarus APT Related VSingle Backdoor Activity (GET)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE MSIL/Filecoder.EK CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE MSIL/PSW.Agent.RXP Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE MSIL/Spy.Agent.AES Zipped Exfil
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE MSIL/Spy.Agent.CSS Exfil
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE MSIL/Spy.Agent.DYS Exfil
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE NoMercy Data Exfiltration M1
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE NoMercy Data Exfiltration M2
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE NoMercy Stealer CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Cobalt Strike Domain (zuyonijobo .com) in TLS SNI
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL Cert (Microsoft Security localhost)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Possible Raspberry Robin Activity (GET)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE RKO Remote File Upload Attempt
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Suspected Brute Ratel CnC Activity (POST)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Unknown Maldoc CnC Activity (2022-07-25)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Fynloski.AA CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/H0lyGh0st CnC Activity
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/H0lyGh0st Ransomware CnC Activity (GET Public Key)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/H0lyGh0st Ransomware CnC Response
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/H0lyGh0st Ransomware Exfil Activity (POST)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/HackTool.Agent.CS SMTP Scanner CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Kryptik.HQAF Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Loli Stealer CnC Activity
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/MSIL.Heracles Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Sality.NBA CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Shrine.A CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Stealerium Stealer Checkin via Discord
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/SystemHijack.gen CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/TrojanDownloader.AutoHK.MT CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Unknown VBScript Backdoor Activity (GET)
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/VB.NBI CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/VB.QPK CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Wacapew CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win32/Wacapew.C!ml CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE Win64/Agent.qwiakk CnC Checkin
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
ET MALWARE X-Files Stealer CnC Exfil Activity M2
    This detection identifies malware-related activity using Rapid7’s Network Traffic Analysis sensor. Malicious actors often use malware in order to gain access to victim organizations.
Privilege Escalation - Changing $HOME Environment Variable, Possible TCC Bypass
    This detection identifies a shell’s $HOME environment variable being changed using the launchctl utility. A malicious actor may do this as part of an attempt to bypass TCC, or Transparency, Consent, and Control, macOS’s privilege management system. By changing the $HOME environment variable, an actor can force the TCC system to read privileges from a database crafted by the attacker, rather than the actual protected database. See CVE-2020-9934 for additional information on this vulnerability.
Privilege Escalation - Creating Database to Bypass TCC
    This detection identifies commands intended to create a new TCC database. TCC, or Transparency, Consent, and Control, is macOS’s privilege management system. A malicious actor can force the TCC system to read from a database that they have crafted, rather than the system’s own protected database, in order to grant themselves permissions they would not usually have. See CVE-2020-9934 for additional information on this vulnerability.
Suspicious Process - Apache Spark Executing Commands
    This detection identifies suspicious commands being executed by an Apache Spark process. This may be indicative of a malicious actor exploiting CVE-2022-33891, which can allow for execution of arbitrary commands. For additional information please see https://attackerkb.com/topics/5FyKBES4BL/cve-2022-33891
Suspicious Process - BCDEdit Enabling Safeboot
    This detection identifies the BCDEdit utility being used to enable safeboot, which will boot the system into safe mode. Ransomware has been observed doing this as a way to evade detection, as most EDR products do not function in safe mode.
Suspicious Process - dotCMS Executing Child Processes
    This detection identifies processes related to the dotCMS Content Management System that are spawning subprocesses. This may be indicative of exploitation of CVE-2022-26352, which allows for upload of arbitrary JSP files that can then be used for execution of commands on the host.
Suspicious Process - Kill Process then Delete Executable
    This detection identifies commands in which a process is killed, followed by an executable being deleted. This is performed by actors attempting to remove artifacts from a system, and has specifically been observed in the Vidar Infostealer.
Suspicious Process - Task Created and Output Redirected to Admin Share
    This detection identifies a scheduled task being created with schtasks.exe and the command’s output being redirected to an Admin SMB share. This may be indicative of the H0lyGh0st ransomware. For additional information please see: https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/
Suspicious Process - Unknown Binary Executing From com.apple Directory
    This detection identifies unknown binaries executing from a com.apple directory. These directories typically contain code included with the operating system by Apple, and other applications should not be executing from these directories. Malicious actors have been observed using com.apple directories as a location for staging malicious binaries.
Suspicious Process - Unknown File with Microsoft Product Information
    This detection identifies unknown executables that are using executable metadata identical to that of Microsoft binaries. This presents as “Microsoft® Windows® Operating System” in the product name field and “Microsoft Corporation” as the author. Malicious actors may do this in an attempt to evade detection by masquerading as a legitimate Microsoft binary.
Threat Command - A blacklist containing a company asset This detection identifies a blacklist that contains a company asset.
Threat Command - A company asset communicating with a C&C server This detection identifies a company asset communicating with a C&C server.
Threat Command - A company asset listed on a target list This detection identifies a company asset listed on a target list.
Threat Command - A company certificate with SSL issues detected This detection identifies a company certificate with SSL issues.
Threat Command - A company development environment publicly exposed This detection identifies a company development environment that is publicly exposed.
Threat Command - A company domain is using OpenSSL library with a detected vulnerability This detection identifies a company domain that is using an OpenSSL library with a detected vulnerability.
Threat Command - A company domain is vulnerable to Heartbleed This detection identifies a company domain that is vulnerable to Heartbleed.
Threat Command - A company domain is vulnerable to ROBOT This detection identifies a company domain that is vulnerable to ROBOT (Return Of Bleichenbacher's Oracle Threat).
Threat Command - A company domain name is embedded in malware code This detection identifies a company domain name that is embedded in malware code.
Threat Command - A company domain SSL certificate has expired This detection identifies a company domain whose SSL certificate has expired.
Threat Command - A company domain supports non-compliant cipher-suites This detection identifies a company domain that supports non-compliant cipher suites.
Threat Command - A company domain vulnerable to SQL injection This detection identifies a company domain that is vulnerable to SQL injection.
Threat Command - A company domain with directory listing publicly exposed This detection identifies a company domain with a publicly exposed directory listing.
Threat Command - A company email address reported as spamming This detection identifies a company email address that has been reported as spamming.
Threat Command - A company executive is mentioned on a target list This detection identifies a company executive who is mentioned on a target list.
Threat Command - A company executive PII offered for sale This detection identifies a company executive's PII offered for sale.
Threat Command - A company internal login page is accessible outside of the organization This detection identifies a company internal login page that is accessible from outside the organization.
Threat Command - A company login page with SSL certificate issues This detection identifies a company login page with SSL certificate issues.
Threat Command - A company product is offered for sale on the black market This detection identifies a company product offered for sale on the black market.
Threat Command - A company website reported as cardable This detection identifies a company website that has been reported as cardable (usable to test or cash out stolen payment cards).
Threat Command - A company website reported as defaced This detection identifies a company website that has been reported as defaced.
Threat Command - A company website vulnerable to XSS attacks This detection identifies a company website that is vulnerable to XSS attacks.
Threat Command - A copy of an app This detection identifies a copy of a company app.
Threat Command - A hacking tool targeting the company This detection identifies a hacking tool targeting the company.
Threat Command - A negative use of the company’s name was found This detection identifies a negative use of the company’s name.
Threat Command - A problem in the company DNS server This detection identifies a problem in the company DNS server.
Threat Command - A tweet mentioned a company asset This detection identifies a tweet that mentioned a company asset.
Threat Command - A vulnerability in company’s in-use technology was detected This detection identifies a vulnerability in a technology the company uses.
Threat Command - An attempt to recruit a company insider This detection identifies an attempt to recruit a company insider.
Threat Command - An insider offering company information for sale This detection identifies an insider offering company information for sale.
Threat Command - An intent to hack the company website This detection identifies a stated intent to hack the company website.
Threat Command - An SSL problem in a company’s domain detected This detection identifies an SSL problem in a company domain.
Threat Command - App in a malicious store This detection identifies an app in a malicious store.
Threat Command - App in a store with a downloader This detection identifies an app in a store with a downloader.
Threat Command - Asset Mentions Exposed On Github This detection identifies asset mentions exposed on GitHub.
Threat Command - Attempted job scam using company-associated identity This detection identifies an attempted job scam using a company-associated identity.
Threat Command - Company accounts suspected as Mule Accounts This detection identifies company accounts suspected of being mule accounts.
Threat Command - Company accounts with credit balance offered for sale This detection identifies company accounts with a credit balance offered for sale.
Threat Command - Company assets targeted in a campaign This detection identifies company assets targeted in a campaign.
Threat Command - Company confidential documents leaked This detection identifies leaked company confidential documents.
Threat Command - Company database leaked This detection identifies a company database leak.
Threat Command - Company DNS servers have AXFR transfer enabled This detection identifies company DNS servers that allow AXFR zone transfers.
Threat Command - Company email contents leaked This detection identifies leaked company email contents.
Threat Command - Company employee credentials leaked from a 3rd party service This detection identifies company employee credentials leaked from a third-party service.
Threat Command - Company employee private details leaked This detection identifies leaked private details of company employees.
Threat Command - Company employees are on a target list This detection identifies company employees who are on a target list.
Threat Command - Company executive login credentials leaked This detection identifies leaked company executive login credentials.
Threat Command - Company executive SSN leaked This detection identifies a leaked company executive SSN.
Threat Command - Company gift cards offered for sale This detection identifies company gift cards offered for sale.
Threat Command - Company internal servers credentials leaked This detection identifies leaked credentials for company internal servers.
Threat Command - Company internal service publicly exposed This detection identifies a company internal service that is publicly exposed.
Threat Command - Company IP address was abused This detection identifies a company IP address that was abused.
Threat Command - Company phishing website This detection identifies a phishing website impersonating your company.
Threat Command - Company product offered for sale illegitimately This detection identifies a company product offered for sale illegitimately.
Threat Command - Company related credentials offered for sale This detection identifies company related credentials offered for sale.
Threat Command - Company sensitive data leaked This detection identifies leaked company sensitive data.
Threat Command - Company software code leaked This detection identifies leaked company software code.
Threat Command - Company was mentioned on suspicious Telegram channel This detection identifies a mention of the company on a suspicious Telegram channel.
Threat Command - Company’s secret is exposed publicly on GitHub This detection identifies a company secret exposed publicly on GitHub.
Threat Command - Company-related credentials offered for sale This detection identifies company-related credentials offered for sale.
Threat Command - Company-related files or folders were found in a ransomware leak This detection identifies company-related files or folders found in a ransomware leak.
Threat Command - Confidential documents This detection identifies confidential documents.
Threat Command - Credit card dump offered for sale This detection identifies a credit card dump offered for sale.
Threat Command - Credit cards for sale This detection identifies credit cards for sale.
Threat Command - Custom query matched This detection identifies a match for a custom query.
Threat Command - Details of a company active credit card were leaked This detection identifies leaked details of an active company credit card.
Threat Command - Exposed services This detection identifies exposed services.
Threat Command - Facebook unauthorized account This detection identifies an unauthorized Facebook account.
Threat Command - Flood control summary alert This detection identifies a flood control summary alert.
Threat Command - Indication of company website infection This detection identifies an indication of company website infection.
Threat Command - Indication of scam intent involving the company sector/region This detection identifies an indication of scam intent involving the company sector or region.
Threat Command - Indication of scam or attack This detection identifies an indication of a scam or attack.
Threat Command - Intellectual property related to company sector/region offered for sale or download This detection identifies intellectual property related to the company sector or region offered for sale or download.
Threat Command - IntelliFind queries This detection identifies matches for IntelliFind queries.
Threat Command - LinkedIn profile impersonating key company employee This detection identifies a LinkedIn profile impersonating a key company employee.
Threat Command - Malicious application resembling company assets This detection identifies a malicious application resembling company assets.
Threat Command - Old and unmaintained website is exposed publicly This detection identifies an old and unmaintained website that is exposed publicly.
Threat Command - Old internal login page is exposed publicly This detection identifies an old internal login page that is exposed publicly.
Threat Command - Open ports This detection identifies open ports.
Threat Command - Open ports on company databases This detection identifies open ports on company databases.
Threat Command - Phishing kit for sale This detection identifies a phishing kit for sale.
Threat Command - Phishing watch This detection identifies a phishing watch hit.
Threat Command - Phishing websites This detection identifies phishing websites.
Threat Command - Potential phishing email This detection identifies a potential phishing email.
Threat Command - Potential phishing website This detection identifies a potential phishing website.
Threat Command - Problem in company domain mail server DMARC/SPF This detection identifies a problem in the DMARC or SPF configuration of a company mail domain.
Threat Command - Proxy/Socks servers connected to the company are offered for sale This detection identifies proxy/SOCKS servers connected to the company that are offered for sale.
Threat Command - Public scan report containing company assets This detection identifies a public scan report containing company assets.
Threat Command - RDP servers connected to the company are offered for sale This detection identifies RDP servers connected to the company that are offered for sale.
Threat Command - Suspected phishing domain This detection identifies a suspected phishing domain.
Threat Command - Suspected phishing domain content update This detection identifies a content update on a suspected phishing domain.
Threat Command - Suspected phishing domain MX update This detection identifies an MX record update on a suspected phishing domain.
Threat Command - Suspected phishing domain registrant update This detection identifies a registrant update on a suspected phishing domain.
Threat Command - Suspected Phishing Domain Registrar Update This detection identifies a registrar update on a suspected phishing domain.
Threat Command - Suspicious company executive social media profile This detection identifies a suspicious company executive social media profile.
Threat Command - The details of a company active credit card offered for sale This detection identifies details of an active company credit card offered for sale.
Threat Command - The details of a company expired credit card were leaked This detection identifies leaked details of an expired company credit card.
Threat Command - Tools for hacking company user accounts offered for sale This detection identifies tools for hacking company user accounts offered for sale.
Threat Command - Twitter unauthorized account This detection identifies an unauthorized Twitter account.
Threat Command - Unauthorized brand use This detection identifies unauthorized brand use.
Threat Command - Unauthorized use of company trademark in a mobile application This detection identifies unauthorized use of a company trademark in a mobile application.
Threat Command - Unauthorized use of company trademark on a social media profile This detection identifies unauthorized use of a company trademark on a social media profile.
Threat Command - Unencrypted company login page This detection identifies an unencrypted company login page.
Threat Command - Unencrypted internal company login page This detection identifies an unencrypted internal company login page.
Threat Command - Unencrypted login page This detection identifies an unencrypted login page.
Threat Command - Vulnerabilities scenario This detection identifies that a new vulnerability in a technology used by the company was published.
Threat Command - Vulnerabilities update scenario This detection identifies an update to a previously reported vulnerabilities scenario.
Threat Command - Vulnerability in the company application detected This detection identifies a vulnerability in a company application.
Threat Command - Vulnerability or malware related to company sector/region detected This detection identifies a vulnerability or malware related to the company sector or region.
Threat Command - Vulnerable service This detection identifies a vulnerable service.
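
The "Task Created and Output Redirected to Admin Share" rule above describes the behaviour in words only. The following is an added example, not Rapid7's rule logic or code, of how that behaviour can be matched against process-start command lines. The event field names, the host and user values and every command line are constructed for the example, and the set of "administrative shares" (ADMIN$, IPC$ and drive-letter shares such as C$) is an assumption about what the rule means by an admin share.

```python
"""Flag schtasks.exe task creation whose output is redirected to an administrative SMB share."""
import re
from typing import Dict, List, Optional

# Constructed process-start events; not taken from any real environment.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "user": r"CORP\jdoe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "C:\ProgramData\u.exe" /sc onlogon > \\FS01\ADMIN$\out.txt'},
    {"host": "WS02", "user": r"CORP\svc_backup",
     "cmdline": r'cmd.exe /c schtasks /Create /S FS01 /TN "Sync" /TR "C:\Windows\Temp\s.exe" /SC DAILY 1>> \\FS01\C$\Windows\Temp\log.txt 2>&1'},
    {"host": "WS03", "user": r"CORP\helpdesk",          # query, not create: benign
     "cmdline": r'schtasks.exe /query /fo LIST > C:\Temp\tasks.txt'},
    {"host": "WS04", "user": r"CORP\it-admin",          # create, but no redirect: benign
     "cmdline": r'schtasks.exe /create /tn "Backup" /tr "C:\Scripts\backup.cmd" /sc weekly'},
    {"host": "WS05", "user": r"CORP\jdoe",              # redirect to ADMIN$, but not schtasks
     "cmdline": r'robocopy C:\data \\FS01\share /E > \\FS01\ADMIN$\r.log'},
]

# schtasks or schtasks.exe as a word, whether bare, quoted or given with a full path.
SCHTASKS_RE = re.compile(r'(?:^|[\s"\\])schtasks(?:\.exe)?(?=\s|$)', re.IGNORECASE)
# The /create switch (any case), as its own token.
CREATE_RE = re.compile(r'(?:^|\s)/create(?=\s|$)', re.IGNORECASE)
# A cmd.exe redirect (>, >>, 1>, 2>) whose target is a UNC path: group 1 = path, group 2 = share name.
REDIRECT_RE = re.compile(r'(?:^|\s)\d?>{1,2}\s*"?(\\\\[^\\\s"]+\\([^\\\s"]+)(?:\\[^\s"]*)?)', re.IGNORECASE)
# Assumed definition of an administrative share: ADMIN$, IPC$ or a drive-letter share such as C$.
ADMIN_SHARE_RE = re.compile(r'^(?:ADMIN\$|IPC\$|[A-Z]\$)$', re.IGNORECASE)


def detect(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding when the command creates a task and redirects output to an admin share."""
    cmd = event["cmdline"]
    if not (SCHTASKS_RE.search(cmd) and CREATE_RE.search(cmd)):
        return None
    for m in REDIRECT_RE.finditer(cmd):
        unc, share = m.group(1), m.group(2)
        if ADMIN_SHARE_RE.match(share):
            return {
                "host": event["host"],
                "user": event["user"],
                "target_host": unc.split("\\")[2],   # \\HOST\share\... -> HOST
                "share": share.upper(),
                "cmdline": cmd,
            }
    return None


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run detect() over a batch of events and keep the hits."""
    return [hit for hit in map(detect, events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["host"]} {hit["user"]} -> \\\\{hit["target_host"]}\\{hit["share"]}: {hit["cmdline"]}')
```

Only the first two constructed events fire: the redirect target must be a UNC path to an admin share and the same command must create a task, so a local redirect, a task creation without a redirect, or a copy to ADMIN$ by another tool is not enough on its own. Base64-encoded or otherwise obfuscated command lines would need decoding before this check, which is why the description above pairs the rule with analyst validation.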

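The "Problem in company domain mail server DMARC/SPF" rule above says only that something is wrong with a mail domain's records. The following is an added example, not Rapid7 or Threat Command code, of the checks a practitioner would run over the records themselves: the SPF "all" qualifier, the deprecated "ptr" mechanism and the RFC 7208 limit of ten DNS-lookup terms, and the DMARC policy, "rua" address and "pct" value from RFC 7489. The domain names and TXT records are constructed for the example; no DNS lookups are performed.

```python
"""Assess the SPF and DMARC posture of a domain from its TXT records."""
from typing import Dict, List

# Constructed TXT records for hypothetical domains; nothing here was looked up.
SAMPLE_TXT: Dict[str, Dict[str, List[str]]] = {
    "good.example": {
        "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
        "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    },
    "weak.example": {
        "weak.example": ["v=spf1 ip4:203.0.113.0/24 ptr +all"],
        "_dmarc.weak.example": ["v=DMARC1; p=none"],
    },
    "missing.example": {
        "missing.example": ["site-verification=constructed-token"],   # no SPF, no _dmarc name at all
    },
}

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")


def check_spf(records: List[str]) -> List[str]:
    """Return human-readable weaknesses in the domain's SPF record(s)."""
    findings: List[str] = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot tell forged senders from real ones"]
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (permerror, record ignored)")
    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"        # default qualifier is pass
        mech = t.lstrip("+-~?")
        name = mech.split(":")[0].split("/")[0]            # "include:x" -> include, "a/24" -> a
        if mech == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS or mech.startswith("redirect="):
            lookups += 1
            if name == "ptr":
                findings.append("SPF: 'ptr' mechanism is deprecated by RFC 7208 and should not be used")
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' allows any host to send mail as the domain")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dmarc(records: List[str]) -> List[str]:
    """Return human-readable weaknesses in the _dmarc.<domain> record(s)."""
    findings: List[str] = []
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>; spoofed mail is neither reported nor rejected"]
    if len(dmarc) > 1:
        findings.append("DMARC: more than one record (receivers apply no policy)")
    tags: Dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; receivers treat the record as p=none at best")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so nobody receives aggregate reports of spoofing")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    return findings


def assess(domain: str, txt: Dict[str, List[str]]) -> List[str]:
    """Combine SPF and DMARC findings for one domain. txt maps a DNS name to its TXT records."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get(f"_dmarc.{domain}", []))


if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT.items():
        print(domain, assess(domain, txt) or ["no findings"])
```

Against live domains the same functions would be fed the TXT answers for the domain and for _dmarc.<domain>; the offline shape here keeps the policy logic separate from the resolver so it can be unit tested, which is the part of the check that actually decides whether an alert like the one above is warranted.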
Rules With New Suppressions

  • Attacker Tool - PWDump

Your Environment

Endpoints

The Insight Agent is deployed on 1,852 of the 1,200 endpoints that your organization asked the MDR team to monitor. Nice work! This gives the MDR team forensic analysis, threat hunting and alert recommendations for 100% of your planned endpoints.

You have a total of 999,999,999 endpoint licenses. A monitored count above the planned count means the Insight Agent is reporting from more endpoints than were originally scoped for the service. If the endpoint data in this report is inconsistent with your planned deployment targets, contact your Customer Advisor.

Endpoint Agents

% Endpoints Covered: 154
Monitored Endpoints: 1,852
Planned Endpoints: 1,200
Total Endpoint Licenses: 999,999,999

Users

This section provides the total number of administrators identified in your environment.

Administrators

14

Non-Expiring Passwords

Accounts whose passwords never expire are at elevated risk of credential theft and reuse: once such a password is harvested, whether from this environment or from a third-party site where the same password was reused, it stays valid until someone notices. Rapid7 recommends limiting the use of non-expiring passwords. Rotating the passwords of the accounts listed below bounds how long a harvested credential can be used for unauthorized access.

Non Expiring: 14
Service Accounts: 0

Users with Non-Expiring Passwords

IDR Identified Administrators

The following users were observed performing administrator-level actions in your environment. Rapid7 recommends reconciling this list with the approved administrators for your organization.

Imposter Domain Names

Rapid7 identified multiple registered domains potentially designed to be imposters of the Company Name registered domains. Rapid7 recommends reviewing and blocking the identified domains, if they serve no business need.


Imposter Domain for companyname.com
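
The imposter-domain list above is the output of that review; the following added example, not Rapid7 code, shows how candidate registrations are scored against the company's own domain. The brand label companyname and the .com TLD come from the report; the candidate domains, the set of TLDs the company is assumed to own, and the look-alike character table are constructed for the example.

```python
"""Flag registered domains that look like imposters of a brand domain."""
import unicodedata
from typing import List, Optional, Tuple

BRAND = "companyname"          # second-level label of the legitimate domain (from the report)
BRAND_TLDS = {"com"}           # TLDs the company legitimately owns (assumed for the example)

# Constructed candidates, as they might arrive from a newly-registered-domains feed.
CANDIDATES = [
    "companyname.com",        # the legitimate domain itself
    "companynarne.com",       # "rn" read as "m"
    "c0mpanyname.com",        # digit zero for the letter o
    "companynme.com",         # one letter dropped
    "comapnyname.com",        # two adjacent letters swapped
    "companyname.co",         # same name, TLD the company does not own
    "companyname-login.com",  # brand plus a lure word
    "example.org",            # unrelated
    "companypaint.com",       # shares a prefix but is not a near miss
]

# ASCII look-alikes that survive in plain-ASCII registrations (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(label: str) -> str:
    """Lower-case, strip accents, and fold common look-alike characters to their targets."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    label = label.translate(HOMOGLYPHS)
    for src, dst in MULTI_CHAR:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split into (everything before the last label, last label).
    Treats the last label as the TLD; multi-label suffixes such as co.uk need a public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def classify(domain: str) -> Optional[str]:
    """Return why a domain looks like an imposter, or None if it does not."""
    sld, tld = split_domain(domain)
    if sld == BRAND:
        return None if tld in BRAND_TLDS else "brand name under a TLD the company does not own"
    norm = normalize(sld)
    if norm == BRAND:
        return "look-alike characters (homoglyph substitution)"
    if levenshtein(norm, BRAND) <= 1:
        return "one character dropped, added or changed (typosquat)"
    if any(norm[:i] + norm[i + 1] + norm[i] + norm[i + 2:] == BRAND for i in range(len(norm) - 1)):
        return "two adjacent characters swapped (typosquat)"
    if BRAND in norm:
        return "brand name combined with extra words or tokens"
    return None


def scan(domains: List[str]) -> List[Tuple[str, str]]:
    """Pair every suspicious domain with the reason it was flagged."""
    return [(d, reason) for d in domains if (reason := classify(d))]


if __name__ == "__main__":
    for domain, reason in scan(CANDIDATES):
        print(f"{domain:26} {reason}")
```

Six of the nine constructed candidates are flagged; the legitimate domain, the unrelated one and the one that merely shares a prefix are not. Internationalized registrations arrive from feeds as punycode (xn--...), so a production version would decode those labels and fold non-Latin confusables before the same comparisons.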

Key Terms and Definitions

Managed Detection and Response Overview

When you use Rapid7 MDR services, your logs are collected and matched against curated rules. Each time an event matches a rule's criteria, an alert is sent to the MDR team and an analyst investigates it. The following sections describe how Rapid7's MDR team defines the priority, status, and disposition of alerts, and provide an overview of our incident reports.

Alert Priority

Rapid7 will prioritize alerts based on a combination of the likelihood of malicious activity and the potential impact of the detected activity.

Critical: Activity occurred in your environment that was almost certainly a malicious event. Critical alerts require immediate response and are the highest priority for the MDR team.
High: Activity occurred in your environment that was most likely a malicious event and should be prioritized for analyst review.
Medium: Activity occurred in your environment that may be a malicious event and requires analyst review.
Low: Activity occurred in your environment that is likely not malicious but still requires review by a Rapid7 MDR Analyst.

Incident Severity

Rapid7 determines the severity of an incident based on a number of factors, including:

  • Intent: Whether the threat appears to be targeted, opportunistic, or automated, and the likely objectives of the attack.
  • Scope: The number and criticality of systems and users impacted.
  • Ongoing Activity: Whether the incident appears to have been fully contained, and whether the attacker remains active within the environment.
  • Impact: The criticality of in-scope assets or users, evidence of data exfiltration, etc.
Low: A non-targeted, low-impact threat involving a small number of systems or users that is already contained. Example: a non-targeted phishing attack with no evidence that the recipient(s) provided credentials.
Medium: A non-targeted, low-impact threat impacting a small number of systems or users, but requiring additional action from you to fully contain and eradicate the threat. Example: malware delivered via a non-targeted phishing attack that is only partially blocked on an endpoint.
High: A high-risk or high-impact threat with no sign of ongoing attacker activity. Example: unauthorized interactive network access with evidence of reconnaissance, privilege escalation, lateral movement, data exfiltration, or other signs of a late-stage compromise.

Closed Alert Dispositions

Once an alert has been investigated, it is marked as Closed, and is assigned one of the following dispositions:

Benign: This event was associated with non-malicious behavior in the context of your environment and did not require additional validation from your organization to close.
Reported Benign: This event was reported to your organization and was confirmed as benign. For example, after further investigation, Rapid7 confirmed that a suspicious authorization or honeypot activity was benign.
Reported Malicious: The event represented by this alert was associated with malicious activity and was reported to your organization. Your organization confirmed that the event was unexpected behavior, and further analysis indicated a compromise. The communication resulted in changes to your environment, such as password resets or reconfigured services.
Security Test: Rapid7 determined that this alert was related to security testing and did not require customer validation to close.
Reported Security Test: Rapid7 determined that this alert was of a kind often generated by security testing, and confirmed with your organization that testing was the cause.
Reported Unknown: Rapid7 reported this alert to your organization but did not complete an in-depth investigation; your organization indicated that the event fulfilled a business use case or was of no concern.
System Closed: Alerts that were closed automatically without further analyst review. This includes alerts that on their own do not indicate malicious activity but are reviewed if they are related to a high-fidelity alert.
False Positive: The alert fired, but the activity behind it was not what the rule logic is intended to detect. Rapid7 triaged the event and submitted a tuning request to the intel team.
PUP: A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. Such software may use an implementation that can compromise privacy or weaken the computer’s security, but it is not considered malicious. Companies often bundle a wanted program download with a wrapper application that offers to install an unwanted application, in some cases without a clear opt-out. Examples include software that displays intrusive advertising (adware), tracks the user’s Internet usage to sell information to advertisers (spyware), or injects its own advertising into web pages the user views. Rapid7 does not typically report on PUPs unless analysis of the software leads Rapid7 to conclude that its function is malicious.

Incident Reports

An incident report is created when our MDR team responds to a confirmed malicious incident in your environment. It is a detailed report providing an overview of the incident, findings, analysis, root cause, and recommended corrective actions to reduce the likelihood of recurrence and/or improve your ability to detect and respond to similar incidents in the future.

Threat Hunting

The MDR service relies on multiple methods of compromise detection within client environments. In addition to real-time alerting, MDR frequently performs targeted, threat intelligence-driven hunting by querying the forensically relevant data available to Rapid7 Threat Hunters. If a hunt yields a positive identification of compromise, or of the potential for compromise, customers are notified immediately, provided with remediation and mitigation recommendations, and given a full incident report within 24 hours of the conclusion of the investigation.

Endpoints

% Endpoints Covered - This represents both the overall percentage of endpoints in your organization that have Insight Agents deployed and the percentage of endpoints the MDR team is able to monitor. It is calculated as Monitored Endpoints divided by Planned Endpoints, where Planned Endpoints is the total number of endpoints your organization asked us to monitor and Monitored Endpoints is the actual number of monitored endpoints; a value above 100% means more agents are reporting than were planned. The number of Total Endpoint Licenses is not included as part of this percentage.

Monitored Endpoints - The number of endpoints with an Insight Agent installed, and as a result, the number of endpoints the MDR team is able to monitor.

Planned Endpoints - The total number of endpoints the MDR team expected to monitor based on information your organization provided to the MDR team. If the number of planned endpoints is greater than the number of monitored endpoints, this means that there are still endpoints that the MDR team was asked to monitor without an Insight Agent installed. The Insight Agent must be installed on all endpoints that you want the MDR team to monitor.

Total Endpoint Licenses - This is the total number of licenses purchased by your organization, and specified in your contract. This may be higher than your Planned Endpoints based on your organization’s growth estimates and contingency plans.